Not Adhering to Responsible Disclosure has the Potential to Amplify the Threats Posed by Certain Vulnerabilities and Incidents

As a company that delivers intelligence derived from the Deep & Dark Web, we come across everything from stolen data and insider recruitment to emerging cyber and physical threats on a daily basis. These observations also mean that often, we identify organizations’ security vulnerabilities, existing threats, and critical incidents before they do. While such scenarios are growing increasingly common among threat intelligence vendors, the industry as a whole has yet to standardize and enforce guidelines pertaining to what happens next. What exactly should you do after uncovering that, for instance, an organization is unknowingly infected with dangerous malware, has yet to discover a large-scale data breach, or has a zero-day vulnerability with the potential to harm its entire base of end-users?

While it can be tempting to disclose findings of this nature to the public immediately through the media or other marketing means -- also known as “full disclosure” -- doing so could exacerbate the circumstances for attack victims and their broader networks. The ramifications can be enormous, which is why it’s time for threat intelligence vendors to model themselves after security researchers and recognize the critical need for responsible disclosure.

Serious implications for safety and security

First and foremost, not adhering to responsible disclosure has the potential to amplify the threats posed by certain vulnerabilities and incidents. By publicly exposing a zero-day vulnerability without giving the affected company sufficient time to address it, you also expose the vulnerability to threat actors who could potentially take advantage of it before a patch becomes available. And given that a patch may not always be made available immediately, it’s even more crucial that knowledge of the vulnerability remain as restricted as possible from those with the potential to abuse it.

Even in certain circumstances where knowledge of a vulnerability has already fallen into the wrong hands, public disclosure can be detrimental. For instance, let’s say you observe a small group of cybercriminals on an elite Dark Web forum discussing plans for exploiting a flaw in a popular mobile banking application. Suppose that this flaw would enable anyone to bypass the app’s anti-fraud measures, and as such, it renders the app’s entire end-user base extremely susceptible to fraud. While knowledge of the vulnerability was initially limited to a small group of elite cyber criminals, publicly disclosing it vastly increases the number of people able to abuse and capitalize on it, thereby rendering even more end-users susceptible. Such practices can be especially damaging in situations where the vulnerability affects the company’s critical systems, sensitive information, and/or broader network of stakeholders.

The consequences of victim-shaming

Aside from the security and safety implications of not adhering to responsible disclosure, such practices facilitate victim-shaming -- to which numerous negative, widespread implications are inherent. First, victim-shaming can be a PR nightmare for the affected organization. An abundance of negative press and countless inquiries typically means that the organization may need to waste precious time and resources assuaging fears and responding -- often without clear answers -- to the media, customers, stakeholders, shareholders, and others. In many cases, bad PR of this nature can sensationalize the threat, vulnerability, or incident, leading to large-scale public overreaction with the potential to ripple outward even further and take more time and resources away from the affected organization.

For the vendors whose disclosure of an organization’s sensitive information leads to unnecessary public outcry and/or victim-shaming, the consequences can be substantial. Regardless of whether this is the case, vendors who engage in such practices may appear to be hurting another brand’s reputation as a means of gaining media coverage, earning industry recognition, and building their own name. As threat intelligence vendors, we often face intense pressure and competition to be the first to release “breaking news” and identify critical information for the broader community. While public disclosure of certain vulnerabilities and affected organizations may be tempting for these reasons, it’s crucial to recognize that the potential negative fallout may be neither productive nor conducive to upholding the culture of security awareness we all strive for.

Intelligent disclosure

Although security researchers have been key proponents of responsible disclosure for years, established practices and protocol are just beginning to gain traction among intelligence vendors. At Flashpoint, while our approach varies depending on the nature and severity of the threat posed by the vulnerability and/or incident, it’s always our first priority to notify the affected organization immediately. From there, we work with the organization to ensure that vulnerabilities have been addressed and threats mitigated; and in many cases, we can do so without ever naming the organization publicly.

Often, responsible disclosure means announcing the key facts surrounding an incident -- typically, what others need to know in order to protect themselves -- without disclosing all of the unnecessary specifics. For instance, we may announce the ways in which a large healthcare organization on the west coast became the victim of ransomware, indicators of the specific strain of ransomware, and what other organizations can do to avoid a similar fate.

Under certain circumstances where our team feels that withholding the information could raise others’ risk levels substantially but will not exacerbate the threat, we do release it to the public -- but in an informative way that answers all questions, explains the risk accurately, outlines any actions those affected may need to take. This type of disclosure ultimately saves the affected organization substantial time and resources by informing the public in an organized way. Ultimately, it’s our job to help our customers and the broader community protect themselves and mitigate risk -- not expose them to more risk.

Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.